A detailed investigation by Motherboard has revealed that hackers can find their way around SMS-based two-factor authentication by stealing a target’s phone number and reassigning it to a different SIM card. They can then use it to reset passwords and sell stolen accounts online for bitcoin. Instagram has now confirmed that it’s developing a safer, non-SMS-based two-factor authentication system.
The investigation noted that Instagram accounts were particularly exposed because the app offered two-factor authentication only over SMS, so both the login code and the password-reset link arrive by text message and go to whoever controls the phone number.
The Facebook-owned service has now confirmed to TechCrunch that it’s developing a non-SMS-based two-factor authentication system that works with authenticator apps such as Google Authenticator. The app itself generates the one-time code the user needs to log in, so the code can’t be reproduced on another device simply by stealing the number and reassigning it to a hacker’s SIM card.
Jane Manchun Wong, who has developed a reputation for digging into apps to find unreleased features, found a prototype of the upgraded two-factor authentication feature in the Instagram for Android APK.
A spokesperson for Instagram has confirmed that this feature is indeed being developed. “We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication,” the spokesperson added. It’s unclear, though, when this feature will be rolled out to all users.